matedwards asked:
Group Policy when authenticating to Azure (365)

We have an on-prem domain syncing Users & Devices to our 365 (Azure) with AD Connect.
When an AD user authenticates against Azure (ie the login page has Access Work or School) the GPOs set on-prem do not apply to the User. Only Computer GPOs with Loopback Processing enabled apply.
The computer is still domain joined and the user exists on-prem and in Azure, so it's the same user account.
Can anyone explain what is happening? Or, how can I get them to apply?
Any help would be greatly appreciated.
 
Jian An Lim


If it is domain joined or hybrid joined, GPO will take precedence over anything else.
There is nothing specific you need.

If it is Windows 10, I will go down to hybrid join (configure your AADConnect correctly).

For SSO:
with hybrid joined (or cloud joined), you will have Windows 10 SSO (PRT SSO);
if domain joined, you will need to use AADConnect SSO (and add the URL to the intranet).

I don't think I want to mention anything about cloud joined until you are ready.


matedwards (ASKER)
Thank you, Jian.

We do have AD-Connect configured so I assume we have a 'hybrid' set-up.
The laptop and the user are in on-prem Active Directory.
The computer GPO settings apply but User GPO settings do not. Unless we apply 'loopback processing' and then the User GPO settings on the laptop OU apply for all users on that device.
Why don't existing User GPO settings apply?

If your laptop is joined to an on-premises domain, then GPO will apply.

If your GPO applies as a user GPO, then the user GPO (and the computer GPO) will work.
If your GPO applies as a laptop GPO, then the computer GPO will apply. If you put loopback processing on, the user GPO will also apply. This usually happens on terminal servers, where the user GPO is different from your normal user GPO.

Reference: https://techgenix.com/managing-terminal-services-group-policy
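As an added diagnostic (not part of this thread, and not an Experts Exchange or Microsoft script), the following PowerShell checks the three things the answers above turn on for the affected laptop: its join state as reported by dsregcmd, whether a computer GPO has turned on loopback processing (the UserPolicyMode registry value), and which GPOs gpresult lists as applied to the user versus the computer. Run it in an elevated session while signed in as the affected user, so the user-scope results are that user's.

```powershell
# Added example, not from the thread: check join state, loopback mode and applied GPOs
# on a domain-joined / hybrid-joined Windows 10 device, using only built-in tools.

# 1. Join state. A hybrid-joined device reports DomainJoined and AzureAdJoined as YES;
#    AzureAdPrt : YES means the Windows 10 (PRT) SSO mentioned above is in place.
$dsreg = dsregcmd /status
$joinState = [ordered]@{}
foreach ($key in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt') {
    $m = $dsreg | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
    $joinState[$key] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}
$joinState

# 2. Loopback processing, set by the computer policy "Configure user Group Policy
#    loopback processing mode": 1 = Merge, 2 = Replace, value absent = not configured.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name UserPolicyMode -ErrorAction SilentlyContinue
switch ($sys.UserPolicyMode) {
    1       { "Loopback: Merge - user settings from GPOs linked to the computer OU are applied after the user OU GPOs" }
    2       { "Loopback: Replace - only user settings from GPOs linked to the computer OU apply" }
    default { "Loopback: not configured - user settings come only from GPOs linked to the user OU" }
}

# 3. What actually applied, per scope. If the expected user GPOs are missing from the
#    user-scope list, compare with the computer-scope list to see which side they hit.
gpresult /r /scope:user
gpresult /r /scope:computer
```

For a sharable report instead of console output, `gpresult /h report.html` produces the same applied/denied GPO lists as HTML.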

ASKER CERTIFIED SOLUTION
RAFA

I shall make sure all User settings are explicitly set at the GPO where Loopback processing is enabled.